3. So is SMI software or hardware? XD It can be either
• SMM code is completely inaccessible from the OS, and the OS can't even notice
when exactly an SMI is being executed. There are several ways to
generate an SMI:
• Ring 0 code can trigger a software SMI at any time by writing some byte value
to APMC I/O port B2h.
• Internal chipset registers (SMI_EN, GEN_PMCON_1 and others) that are
accessible via PCI config space allow enabling or disabling different kinds of
hardware SMI sources.
• You can route hardware interrupts into SMM by reconfiguring the advanced
programmable interrupt controller (APIC) that is integrated into the CPU.
• The I/O instruction restart CPU feature (chapter 34.12 of the IA-32 Architectures
Software Developer's Manual) allows generating an SMI on any I/O port access
by an IN or OUT processor instruction.
Excerpted from Building reliable SMM backdoor for UEFI based platforms
4. Outline
• The memory sinkhole
• Undefined behavior: what happened to my code
• The impact of GPU-assisted malware on memory forensics: a case study
• SLOTH
• ATM
• HTTPS bicycle attack
5. The Memory Sinkhole
• On Intel: Ring 3 – userland, Ring 0 – kernel, Ring -1 – hypervisor, Ring -2 – SMM, which holds the firmware and all the most critical security checks
• SMM is hidden from Ring 0
• System Management RAM (SMRAM) is only accessible to SMM
• SMM handler
  • A System Management Interrupt (SMI) switches the CPU into SMM
• SMM handler
  • Fetches the DSC structure (Global Descriptor Table, segment selectors, ...) and initializes itself from that structure
• Attack technique
  • Use APIC remapping to map the APIC payload (all zeros) over the DSC structure (SMRAM)
  • When the SMM handler finishes executing, it jumps to 0x10:0x8077 and continues execution there.
12. PCI/GSM Address Space Layout on Intel Haswell
• PCI bus for the GPU or DMA
• CPU view
  • Part of MMIO is reserved for the PCI bus
• DRAM view
  • The MMIO range is not visible, so the PCI bus is not visible either
• Intel's solution
  • In the CPU view, the range from TOLUD (Top of Low Usable DRAM) up to 4GB is assigned to MMIO, so the DRAM view can see the same address space
• Graphics Stolen Memory (GSM)
  • Mostly not accessible from the CPU view; the GTT portion is accessible
  • Components
    • Graphics Translation Tables (GTT): tell the GPU the virtual-to-physical mapping; can be configured during the BIOS stage
    • Data Range (programming space)
13. The Impact of GPU-assisted Malware on Memory Forensics: a Case Study
• A buffer object is created in the Graphics Execution Manager (GEM) subsystem (not inside GSM); it is visible to both the CPU and GPU domains, through different virtual addresses
  • OS page table
  • graphics page table
• Attack technique
  • The GPU modifies the graphics page table in GSM: entries that originally mapped the buffer object are changed so that the GPU can access data in memory used by the CPU.
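A toy model of the two views from slide 12 and of the page-table cross-check a memory-forensics tool could run against slide 13's technique, added here as an example; it is not code from the slides or from the paper they summarize, and every address, size and page number in it (TOLUD, the GSM base and size, the GTT size, the buffer-object addresses) is a constructed assumption. The check is simple: the kernel's GEM bookkeeping says which physical pages each buffer object owns and at which GPU virtual address it lives, so any GTT entry that maps a GPU address to a page the kernel never handed out is a GPU-side window into CPU memory and gets reported.

```python
"""Toy model of the CPU view of the Haswell address space (slide 12) and a
forensic cross-check of the graphics page table against the OS-side buffer
object list (slide 13).  Added example, not code from the slides or the paper;
every address, size and page number below is a constructed assumption."""
from dataclasses import dataclass

PAGE = 0x1000
TOLUD = 0xC000_0000            # assumed Top of Low Usable DRAM
FOUR_GB = 0x1_0000_0000
GSM_BASE = 0xCC00_0000         # assumed Graphics Stolen Memory base, inside the MMIO hole
GSM_SIZE = 32 * 1024 * 1024    # assumed GSM size
GTT_SIZE = 2 * 1024 * 1024     # assumed: the GTT occupies the first 2 MiB of GSM


def cpu_view(addr: int) -> str:
    """Classify a physical address as the CPU sees it: DRAM below TOLUD, the
    MMIO hole (PCI bus, GSM) between TOLUD and 4 GB, DRAM again above 4 GB."""
    if addr < TOLUD:
        return "DRAM"
    if GSM_BASE <= addr < GSM_BASE + GTT_SIZE:
        return "GSM/GTT (CPU-accessible)"
    if GSM_BASE <= addr < GSM_BASE + GSM_SIZE:
        return "GSM/stolen (not CPU-accessible)"
    if addr < FOUR_GB:
        return "MMIO (PCI bus)"
    return "DRAM (above 4GB)"


@dataclass
class BufferObject:
    """A GEM buffer object: backed by system DRAM (not GSM) and mapped into
    both domains under different virtual addresses."""
    name: str
    cpu_va: int          # virtual address in the OS page table
    gpu_va: int          # virtual address in the graphics page table
    phys_pages: list     # backing physical pages, all below TOLUD


def os_page_table(bos):
    """OS-side mapping: CPU VA page -> physical page, one entry per BO page."""
    return {bo.cpu_va + i * PAGE: p for bo in bos for i, p in enumerate(bo.phys_pages)}


def graphics_page_table(bos):
    """What the GTT should contain if nothing has tampered with it."""
    return {bo.gpu_va + i * PAGE: p for bo in bos for i, p in enumerate(bo.phys_pages)}


def audit_gtt(gtt, bos):
    """Forensic check: every GTT entry must map a GPU VA that belongs to a
    known BO and must point at that BO's own physical page.  Anything else
    is a GPU-side window into memory the kernel never handed to the GPU.
    Returns a list of (gpu_va, phys, reason) findings; empty means clean."""
    expected = graphics_page_table(bos)
    legit_pages = set(os_page_table(bos).values())
    findings = []
    for gpu_va, phys in sorted(gtt.items()):
        if gpu_va not in expected:
            findings.append((gpu_va, phys, "mapping not backed by any GEM buffer object"))
        elif expected[gpu_va] != phys:
            where = "a GEM page" if phys in legit_pages else "a page outside all GEM buffer objects"
            findings.append((gpu_va, phys,
                             f"remapped from {expected[gpu_va]:#x} to {where} "
                             f"({cpu_view(phys)} {phys:#x})"))
    return findings


def demo():
    """Constructed scenario: two BOs, a clean GTT, then one GTT entry redirected
    to a CPU-owned page that no BO covers, as slide 13 describes."""
    bos = [
        BufferObject("bo0", cpu_va=0x7F00_0000_0000, gpu_va=0x0010_0000,
                     phys_pages=[0x0001_2000, 0x0001_3000]),
        BufferObject("bo1", cpu_va=0x7F00_0010_0000, gpu_va=0x0020_0000,
                     phys_pages=[0x0004_5000]),
    ]
    clean = graphics_page_table(bos)
    assert audit_gtt(clean, bos) == []          # untouched GTT passes the check
    tampered = dict(clean)
    tampered[0x0010_0000] = 0x0009_A000         # constructed: page owned by some other process
    return audit_gtt(tampered, bos)


if __name__ == "__main__":
    for gpu_va, phys, reason in demo():
        print(f"GTT[{gpu_va:#x}] -> {phys:#x}: {reason}")
```

The audit deliberately trusts only the OS-side view (the GEM buffer-object list) and treats the GTT as evidence to be verified, which is the direction a forensic tool has to take once the GPU itself is suspected of having rewritten its page table.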